After a few hours of testing with procmail at the unix
commandline, here's something that appears to work, and will
probably end up on my web page. A running commentary is
given at the end of this message. Note that the first match
line, and both formail lines are long and will be folded on
your screen...
########################################################
MIME_EXPLOIT=0
:0HB
*()\/^Content-Disposition:.*filename=...................................................................
{
:0f
| formail -A "X-Reject: File attachment name greater than 63 characters" -A "X-Suspicious-Line: $MATCH"
MIME_EXPLOIT=1
}
:0BH
* ^Content-Disposition:.*filename=.*([^"]|\\\")$
{
:0f
| formail -A "X-Reject: Content-Disposition: header not terminated with an unescaped quote" -A "X-Suspicious-Line: $MATCH"
:0
*$ $MIME_EXPLOIT^0
* 1^0
{ MIME_EXPLOIT=$= }
}
:0
*$ $MIME_EXPLOIT^0
junkmail
########################################################
Initialize variable MIME_EXPLOIT to zero. 1st recipe checks
for a blatant long filename. If found
- an X-Reject: header will be inserted...
- an X-Suspicious-Line: header will be inserted, along
with the beginning of the suspicious line
- MIME_EXPLOIT will be set to 1
The 2nd recipe checks for "stealth" long filenames. If
Content-Disposition: is not terminated with a quote or if
it's terminated with an *ESCAPED* quote, (same difference)
then it can be continued on the following line to give a
long filename. If such a condition is found...
- an X-Reject: header will be inserted...
- an X-Suspicious-Line: header will be inserted, along
with the beginning of the suspicious line
- MIME_EXPLOIT will be incremented by 1
Finally, check if MIME_EXPLOIT > 0. If so, dump the email
to the junkmail file.
I hope to have this up on my SpamDunk Project webpage
later today (Sunday).
--
Walter Dnes <waltdnes(_at_)interlog(_dot_)com> procmail spamfilter
http://www.interlog.com/~waltdnes/spamdunk/spamdunk.htm
Why a fiscal conservative opposes Toronto 2008 OWE-lympics
http://www.interlog.com/~waltdnes/owe-lympics/owe-lympics.htm
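
The two checks described in the message above, restated as an added Python example (not part of the original message or of the SpamDunk project) and run over constructed sample headers. The 63-character threshold is taken from the X-Reject text; the names scan and SAMPLES and the sample messages themselves are assumptions made for illustration.

```python
import re

# Threshold from the X-Reject text ("greater than 63 characters"); assumption:
# it counts everything after "filename=" on the same physical line.
MAX_AFTER_FILENAME = 63

# Same anchor as both recipes: header name and filename= on one line.
# procmail matches case-insensitively by default, hence re.I.
DISPOSITION = re.compile(r'^Content-Disposition:.*?filename=(.*)$', re.I)


def scan(raw):
    """Return (score, findings); score plays the role of MIME_EXPLOIT."""
    findings = []
    for line in raw.replace('\r\n', '\n').split('\n'):
        m = DISPOSITION.match(line)
        if not m:
            continue
        rest = m.group(1)
        # Check 1: blatant long filename on the header line itself.
        if len(rest) > MAX_AFTER_FILENAME:
            findings.append(('File attachment name greater than 63 characters', line))
        # Check 2: line ends without a quote, or with an escaped quote, so
        # the value can continue on the following line.
        if rest and (not line.endswith('"') or line.endswith('\\"')):
            findings.append(('Content-Disposition: header not terminated '
                             'with an unescaped quote', line))
    return len(findings), findings


# Constructed sample messages (not taken from real mail).
HDR = 'MIME-Version: 1.0\nContent-Type: application/octet-stream\n'
CD = 'Content-Disposition: attachment; filename="'
SAMPLES = {
    'benign': HDR + CD + 'report.txt"\n\nbody\n',
    'long': HDR + CD + 'A' * 80 + '.txt"\n\nbody\n',
    'stealth': HDR + CD + 'part-one\\"\n part-two.txt"\n\nbody\n',
    'both': HDR + CD + 'A' * 80 + '\n more.txt"\n\nbody\n',
}

if __name__ == '__main__':
    for name, msg in SAMPLES.items():
        score, findings = scan(msg)
        verdict = 'junkmail' if score > 0 else 'deliver'
        print(name, score, verdict, [reason for reason, _ in findings])
```

Like the recipes, this only inspects the physical line that carries both Content-Disposition: and filename=, so a filename= that sits on a folded continuation line is not examined.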